CVE-2026-23423 - Vulnerability Details

- btrfs: free pages on error in btrfs_uring_read_extent()

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: free pages on error in btrfs_uring_read_extent()

In this function the 'pages' object is never freed in the hopes that it is
picked up by btrfs_uring_read_finished() whenever that executes in the
future. But that's just the happy path. Along the way previous
allocations might have gone wrong, or we might not get -EIOCBQUEUED from
btrfs_encoded_read_regular_fill_pages(). In all these cases, we go to a
cleanup section that frees all memory allocated by this function without
assuming any deferred execution, and this also needs to happen for the
'pages' allocation.

Published: 2026-04-03

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability arises from an oversight in the btrfs file system’s URING read handler, where the pages buffer is not freed during error conditions. This can cause kernel memory to be held indefinitely, allowing an attacker who can trigger repeated read errors to deplete system memory and potentially crash or degrade the host. The weakness is a classic memory management flaw, documented as CWE‑772.

Affected Systems

The issue affects the Linux kernel, specifically the Btrfs subsystem in all kernel releases that lack the committed fix. No explicit version range is provided; any kernel still containing the pre‑fix code is susceptible.

Risk and Exploitability

With a CVSS score of 5.5, the severity is moderate, and the EPSS score is under 1 %, indicating a low likelihood of widespread exploitation. The flaw is not listed in the CISA KEV catalog. The attack vector is inferred to be a local or privileged user capable of inducing read errors on Btrfs volumes, as the memory leak occurs within kernel land.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`34310c442e175f286b4c06ab5caa4e0b267ea31c`	affected	< d4f210de01eaccac61eee657f676045ef9771d07
`34310c442e175f286b4c06ab5caa4e0b267ea31c`	affected	< 628895890b0c9ac9129129e89455da7db95ba343
`34310c442e175f286b4c06ab5caa4e0b267ea31c`	affected	< 3f501412f2079ca14bf68a18d80a2b7a823f1f64

Linux

affected

Version	Status	Constraints
`6.13`	affected	—
`0`	unaffected	< 6.13
`6.18.17`	unaffected	≤ 6.18.*
`6.19.7`	unaffected	≤ 6.19.*
`7.0-rc3`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[34310c442e175f286b4c06ab5caa4e0b267ea31c,d4f210de01eaccac61eee657f676045ef9771d07)`	affected	code_commit	—
`[34310c442e175f286b4c06ab5caa4e0b267ea31c,628895890b0c9ac9129129e89455da7db95ba343)`	affected	code_commit	—
`[34310c442e175f286b4c06ab5caa4e0b267ea31c,3f501412f2079ca14bf68a18d80a2b7a823f1f64)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.13`	affected	generic	—
`[0,6.13)`	unaffected	generic	—
`[6.18.17,6.19.0)`	unaffected	generic	—
`[6.19.7,6.20.0)`	unaffected	generic	—
`[7.0-rc3,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a version that incorporates the fix for CVE‑2026‑23423. This will release the unfreed pages during error handling.
If an immediate kernel update is not feasible, apply the specific commit referenced in the provided links to the kernel source tree, rebuild, and reboot the system.
Monitor kernel memory usage for sustained increases that could indicate the presence of the leak, and isolate affected hosts until a patch is applied.

Generated by OpenCVE AI on April 7, 2026 at 09:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00017.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/3f501412f2079ca14bf68a18d80a2b7a823f1f64
https://git.kernel.org/stable/c/628895890b0c9ac9129129e89455da7db95ba343
https://git.kernel.org/stable/c/d4f210de01eaccac61eee657f676045ef9771d07
https://lore.kernel.org/linux-cve-announce/2026040304-CVE-2026-23423-96fa@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23423
https://www.cve.org/CVERecord?id=CVE-2026-23423

History

Tue, 07 Apr 2026 08:00:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-401

Sat, 04 Apr 2026 01:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-772
References		https://lore.kernel.org/linux-cve-announce/2026040304-CVE-2026-23423-96fa@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23423 https://www.cve.org/CVERecord?id=CVE-2026-23423
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Low`

Fri, 03 Apr 2026 21:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-401

Fri, 03 Apr 2026 14:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: btrfs: free pages on error in btrfs_uring_read_extent() In this function the 'pages' object is never freed in the hopes that it is picked up by btrfs_uring_read_finished() whenever that executes in the future. But that's just the happy path. Along the way previous allocations might have gone wrong, or we might not get -EIOCBQUEUED from btrfs_encoded_read_regular_fill_pages(). In all these cases, we go to a cleanup section that frees all memory allocated by this function without assuming any deferred execution, and this also needs to happen for the 'pages' allocation.
Title		btrfs: free pages on error in btrfs_uring_read_extent()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/3f501412f2079ca14bf68a18d80a2b7a823f1f64 https://git.kernel.org/stable/c/628895890b0c9ac9129129e89455da7db95ba343 https://git.kernel.org/stable/c/d4f210de01eaccac61eee657f676045ef9771d07

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-03T13:24:31.966Z

Updated: 2026-04-03T13:24:31.966Z

Reserved: 2026-01-13T15:37:46.015Z

Link: CVE-2026-23423

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-03T14:16:28.487

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-23423

Redhat

Severity : Low

Publid Date: 2026-04-03T00:00:00Z

Links: CVE-2026-23423 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-08T19:54:14Z

Weaknesses

CWE-772

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object